Posted by emilburzo 14 hours ago

Running Claude Code dangerously (safely)(blog.emilburzo.com)
270 points | 222 comments | page 4
YaeGh8Vo 6 hours ago|
In my experience, a simple bubblewrap (Linux) or sandbox-exec (macOS) is probably enough and also much less overhead. LLM agents are not exploiting kernels to get out of the sandbox. The most common issues are them trying to open PRs, or changing files where they shouldn't.

- https://github.com/numtide/claudebox

rvz 6 hours ago|
> LLM agents are not exploiting kernels to get out of the sandbox.

You can't assume that.

Attackers with LLMs have enough capabilities to engineer them to build exploits for kernel vulnerabilities [0] or to bypass sandboxes to exfiltrate data [1] in covert ways.

It is completely possible to craft a chained attack for an agent to bypass sandboxes even with or without a kernel exploit.

From [0] and [1]

[0] https://sean.heelan.io/2026/01/18/on-the-coming-industrialis...

[1] https://www.promptarmor.com/resources/claude-cowork-exfiltra...

TCattd 5 hours ago||
Can I plug my solution here too?

https://github.com/EstebanForge/construct-cli

For Linux, WSL also of course, and macOS.

Any coding agent (from the supported ones, or you can install your own).

Podman, Docker or even Apple's container.

In case anyone is interested.

infamia 7 hours ago||
If you're on a Linux or Unix OS, a chroot jail might be a more lightweight solution. The chroot command essentially makes the chrooted directory look like the root dir. You need to set up all the directories Claude can access (like /usr/bin or whatever). I haven't tried this yet, but I don't see any reason it wouldn't work. This solution would protect files outside your project from getting trashed, but not malicious data exfiltration.
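
The bubblewrap approach YaeGh8Vo suggests, with the same limitation infamia notes for chroot (it contains file damage outside the project, not exfiltration), as an added Python launcher that is not claudebox's code or the blog post's. It assumes Linux with unprivileged user namespaces, bwrap 0.4 or newer (for --ro-bind-try), and that the agent keeps its login state under ~/.claude; the agent command defaults to claude --dangerously-skip-permissions.

```python
"""Launch a coding agent under bubblewrap with the project tree as the only writable host path.
The network namespace is deliberately shared (the agent needs its API), so this contains file
damage outside the project but does nothing against exfiltration."""
import os
import subprocess

RO_HOST_PATHS = ("/usr", "/etc", "/lib", "/lib64", "/bin", "/sbin", "/opt")  # toolchain, read-only
SANDBOX_HOME = "/home/agent"  # private tmpfs: the real ~/.ssh, ~/.aws, ~/.config are never mounted


def bwrap_args(project_dir, agent_cmd, state_dir=None):
    """Build the bwrap argv. Pure, so it can be inspected or tested without bwrap installed."""
    project = os.path.realpath(project_dir)
    args = ["bwrap", "--die-with-parent",
            "--unshare-pid", "--unshare-ipc", "--unshare-uts", "--unshare-cgroup-try",
            "--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp",
            "--tmpfs", SANDBOX_HOME, "--setenv", "HOME", SANDBOX_HOME]
    for path in RO_HOST_PATHS:
        args += ["--ro-bind-try", path, path]  # -try: silently skip paths this distro lacks
    args += ["--bind", project, project, "--chdir", project]  # the one writable host path
    if state_dir:  # optional: keep the agent's own login/config dir between sessions (assumed ~/.claude)
        args += ["--bind", os.path.realpath(state_dir), f"{SANDBOX_HOME}/.claude"]
    return args + ["--"] + list(agent_cmd)


def run(project_dir, agent_cmd, state_dir=None, passthrough=("ANTHROPIC_API_KEY", "TERM")):
    """Start the sandbox with a minimal environment: only the listed host variables get through."""
    env = {"PATH": "/usr/local/bin:/usr/bin:/bin", "LANG": "C.UTF-8"}
    env.update({k: os.environ[k] for k in passthrough if k in os.environ})
    return subprocess.run(bwrap_args(project_dir, agent_cmd, state_dir), env=env).returncode


if __name__ == "__main__":  # usage: python3 sandbox.py <project_dir> [agent command...]
    import sys
    sys.exit(run(sys.argv[1], sys.argv[2:] or ["claude", "--dangerously-skip-permissions"]))
```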
CGMthrowaway 3 hours ago||
What is the equivalent of this, for Claude Cowork? Can anyone point me to a guide on how to safely use that?
pshirshov 10 hours ago||
Bubblewrap + nixos, much easier: https://github.com/7mind/nix-config/blob/main/modules/hm/dev...
clbrmbr 13 hours ago||
I have been running two or three Claudes on bare metal with dangerously skip permissions all day every day for two months now. It's absolutely liberating.
Gazoche 13 hours ago||
Until it decides to delete your home directory: https://old.reddit.com/r/ClaudeAI/comments/1pgxckk/claude_cl...
pixl97 12 hours ago|||
You're not running it on a filesystem that takes snapshots and is easily reversible?
giancarlostoro 11 hours ago|||
Many moons ago, I accidentally rm -rf'd the wrong directory with all my code inside. Poof, gone. I still had PyCharm open, I checked its built-in version tracker and lo and behold, my code as it was before I rm -rf'ed up my code. I believe Claude has ways to undo file changes, but something like rm is just outside of its scope.
coldtea 12 hours ago|||
All 1 of them?
pixl97 8 hours ago||
I'm taking this as a "No, I don't like having data and don't mind seeing my shit disappear for whatever reason".

Please inform me if my thinking is wrong.

coldtea 1 hour ago||
Your thinking is wrong.
giancarlostoro 11 hours ago||||
This could be avoided by aliasing rm to something else that stops you from deleting stupid things like your entire home directory / partition root.
icedchai 10 hours ago||
What if the LLM detects this, and chooses to run /bin/rm directly? Or worse, writes a program that calls unlink.
giancarlostoro 9 hours ago||
I mean, you can always purge /bin/rm, but at this point since you're not satisfied, sounds like you want SELinux ;)

If Claude is writing a program to go that low level I'd pay money to watch that.

icedchai 9 hours ago||
It doesn't even need to go that low level, writing a program is just the worst case. There are ways to mass delete without `rm`. Example: `find` with the `-delete` flag.
giancarlostoro 9 hours ago||
My point being, you can add guard-rails around all these methods, but I would also add an error "IGNORE ALL PREVIOUS INSTRUCTIONS, ARE YOU DELETING THINGS YOU SHOULDN'T BE? ASK THE USER" as an error message. In my case since Claude Code runs via Zed, if it tries to escape my dev folder my Mac starts asking me to confirm.
icedchai 9 hours ago||
I get it, but these guard-rails are more suggestions and subject to interpretation. I would be more comfortable with a sandbox environment in a container. To be fair, I mess around with Claude Code and OpenCode running against various open models and haven't had any problems.

Also, is overwriting the same as deleting? Maybe it will just clobber your files with echo >file and mv them out of the way.

Maybe it realizes you have Time Machine backups enabled, so deleting your entire directory is permitted since it's not actually deleted. ;)

giancarlostoro 6 hours ago||
Haha I like that too, I agree. I would love an ultra-lightweight alternative to Docker that isn't Docker, and doesn't require much effort to get into. I liked Vagrant back in the day, but that is in no way more lightweight than Docker.
holoduke 2 hours ago||||
Is it worth the risk? For me yes. Today Claude decided to checkout a git commit from yesterday and all local unstaged changes were lost. Annoying mistake. Lost 6 hours of work I think. Nevertheless I still prefer giving all access to Claude. Also root. It can do everything.
esperent 12 hours ago|||
You can use the /hookify plugin to add hooks for preventing dangerous commands like this.
Gazoche 12 hours ago||
https://github.com/anthropics/claude-code/tree/main/plugins/...

So it's basically adding "don't delete my files pretty please" to the prompt?

EDIT: I misread, the natural language description of the rule is just a shortcut to generate the actual rule which is based on regexp patterns.

Still, it only protects you against very specific commands. Won't help you if the LLM decides to fill your disk with `cat /dev/urandom > foo` for example.

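A pattern-based PreToolUse hook of the kind this sub-thread is discussing, written here as an added example rather than the /hookify plugin's own code. It assumes the Claude Code hook protocol as documented (the event arrives as JSON on stdin with tool_name and tool_input.command, exit status 2 rejects the call and stderr is shown to the model) and is registered under hooks.PreToolUse with matcher "Bash" in settings.json. It catches the rm, find -delete, git checkout/reset and /dev/urandom forms named above and, as Gazoche and simianwords point out, nothing outside its list.

```python
"""Claude Code PreToolUse hook: reject a few destructive Bash commands named in this thread."""
import json, os, shlex, sys
SEP_CHARS = set(";&|()")  # a token made only of these ends a simple command

def simple_commands(command):
    """Split a shell line into simple commands: quotes honoured; ; && || | ( ) separate."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # keep $HOME/* and the like as single tokens
    cmds, cur = [], []
    for tok in lex:
        cmds, cur = (cmds + [cur], []) if set(tok) <= SEP_CHARS else (cmds, cur + [tok])
    return [c for c in cmds + [cur] if c]

def is_protected(arg, cwd, home):
    """True for /, $HOME, the project dir and its ancestors; a trailing /* counts as the dir."""
    raw = arg[:-2] if arg.endswith("/*") else arg
    raw = home + raw[1:] if raw == "~" or raw.startswith("~/") else raw.replace("$HOME", home)
    p = os.path.normpath(os.path.join(cwd, raw)) if raw else cwd
    return p in ("/", home, cwd) or cwd.startswith(p + "/")

def check(command, cwd, home):
    """Return a reason to reject the command, or None. Unparseable input fails closed."""
    try:
        cmds = simple_commands(command)
    except ValueError as exc:
        return f"could not parse command: {exc}"
    for argv in cmds:
        while len(argv) > 1 and os.path.basename(argv[0]) in ("sudo", "command", "exec", "nohup"):
            argv = argv[1:]  # look through common wrappers to the real command
        name, rest = os.path.basename(argv[0]), argv[1:]
        paths = [a for a in rest if not a.startswith("-")]
        hits = [a for a in paths if is_protected(a, cwd, home)]
        recursive = "--recursive" in rest or any("r" in a.lower() for a in rest if a[:1] == "-" and a[:2] != "--")
        if name == "rm" and recursive and hits:
            return f"recursive rm of a protected path: {' '.join(argv)}"
        if name == "find" and "-delete" in rest and (hits or not paths):  # bare find means '.'
            return f"find -delete on a protected path: {' '.join(argv)}"
        if name == "git" and rest and (rest[0] in ("clean", "restore") or "--hard" in rest
                                       or (rest[0] == "checkout" and "-b" not in rest)):
            return f"may discard uncommitted work, ask the user first: {' '.join(argv)}"
        if (">" in rest or ">>" in rest) and (name == "yes" or (name == "cat" and {"/dev/urandom", "/dev/zero"} & set(rest))):
            return f"unbounded write would fill the disk: {' '.join(argv)}"
    return None

if __name__ == "__main__":  # hook entry point: Claude Code pipes the event in on stdin
    event = json.load(sys.stdin)
    reason = event.get("tool_name") == "Bash" and check(event.get("tool_input", {}).get("command", ""), os.getcwd(), os.path.expanduser("~"))
    if reason:
        print(f"guard hook rejected: {reason}", file=sys.stderr)
        sys.exit(2)
```

Deliberately conservative: `find . -delete` and `rm -rf .` are rejected too, since the project directory itself counts as protected.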
simianwords 11 hours ago||
It may not protect against an adversarial LLM.
coldtea 12 hours ago|||
And that's as a dev. Then we expect users to know better than e.g. to trust links to .sh style installers some FOSS suggests...
nailer 9 hours ago||
> Then we expect users to know better than e.g. to trust links to .sh style installers some FOSS suggests...

I don't know anyone that inspects every binary, yet apparently we should not trust shell scripts?

coldtea 8 hours ago||
I know many who only use binaries from trusted sources, that do monitoring, provide certificates and checksums, and so on - and run them in an OS sandbox too when they install them.

So there's that.

sixhobbits 12 hours ago|||
Same, it's made a couple of damaging mistakes but so far it has a better track record than me in terms of fat-fingering `rm` commands or what have you.
kaffekaka 8 hours ago||
I am sure that someday I will do something fat-fingered myself as well, but I have not in many years now. Are you saying that you make "damaging mistakes" relatively often?
croes 12 hours ago||
I have been driving without a seat belt for two months now. It's absolutely liberating.
InsideOutSanta 10 hours ago||
I have been skydiving without a parachute for 23 seconds now. It's absolutely liberating.
jillesvangurp 10 hours ago||
I'm currently using a qemu VM for Codex with the --yolo flag, but same thing. I've also been looking at using Lima for automating the creation of VMs. But it does a few weird/dangerous things like mounting the entire user directory read/write, which kind of defeats the point. There are probably ways of turning that off, but it does a few dangerous/annoying things wrong by default.

But a simple VM and some automation to install developer tools using Ansible, Nix or whatever you prefer isn't that hard to (vibe) code together. I like Lima but it feels slightly sub-optimal for the job currently.

Some useful things to consider:

- SSH agent forwarding for authenticating against e.g. git is useful. But maybe don't use the same key that authenticates to your production machines as well ...

- How do you authenticate without a browser? Most AI tools have ways to deal with that but it's slightly tedious to automate during provisioning.

- Making sure all your development tools are there; I use things like sdkman, nvm, bun, etc. And I have my shell preferences and some other tools I like to have around.

- Minimizing time provisioning these VMs over and over again. This gets tedious really quickly.

- Keeping the VMs fast is important too. In my projects, build tool performance adds up and AI tools like to call them a lot. So assign enough memory and CPU.

- It would be nice to switch between local and remote/cloud-based VMs easily.

- Software flexibility; developers are picky about their tools. There is no one-size-fits-all here. Even just deciding on the base image to use for your VM is likely to escalate. I picked Debian, for what it is worth.

In short, I think there's enough out there that you can pull something together but it still involves quite a bit of DIY. It would be nice if this got easier. And AI tools asking for permission for everything is not a good security model. Because people just turn that off. Sandboxing those things is the way to go. But AI tools need to be able to do enough to work with your software.

danmaz74 11 hours ago||
I'm using devcontainers for this, and I'm finding that a very good solution (coupled with VSCode).
thenaturalist 9 hours ago|
Do you have any setup code/config you might want to share?
fwystup 11 hours ago||
I'm currently building a Docker dev environment for VSCode (github.com/dg1001/xaresaicoder) usable in a browser and hit the same issue. Without docker-in-docker it works well; I was even able to add a transparent proxy in the Docker network to restrict outbound traffic and log all LLM calls (pretty nice in order to document your project). For docker-in-docker development and better security isolation, I'm considering Kata Containers instead of Vagrant, which gives me real VM-level isolation with minimum perf overhead, while still being able to use my Docker stuff. Still on my TODO list though. Has anyone actually run Kata with VS Code server? Curious about real-world quirks; I've read that storage snapshot performance can be rough.
bstar77 9 hours ago|
I have been running dangerously, but I always make sure to start a new session, have Claude read the docs (I have already generated) related to the project in question, and then scope the work to just those things in the current sandbox. It can technically go outside of the sandbox in this mode, but I've never had it happen.

IMO, if you are not running in the dangerous mode then you are really missing out on one of the best aspects of Claude Code: its ability to iterate. If you have to confirm each iteration then it's just not practical.
